Malware distribution via Dropbox

I’ve seen a “nice” spam campaign that was very successful from my point of view…

  • First of all, I received this email to my corporate account which passed all of our AV/spam and other filters.
  • That email looked actually not too bad (a bit generic, but voicemail systems are this way ;-)
    Untitled 94
  • The interesting fact was that the link goes to dropbox – which is more and more making an inroad into corporate businesses.
  • The link therefore doesn’t raise any suspicion. It is even served “securely” (read “encrypted”) via https://…
  • Even though our gateway based virus scanner failed to detect it, 13 out of 52 AV engines as part of Virustotal detected it:
  • I have to say that Dropbox reacted very quickly and took down the link within hours.
    Untitled 93

The source of the email is listed below…

... some lines removed ...
Received: from X-Virus-Scan: V-
X-Note: Spam Tests Failed:
X-Note: User Rule Hits:
X-Note: Global Rule Hits: G327 G328 G329 G330 G334 G335 G346 G445
X-Note: Encrypt Rule Hits:
X-Note: Headers Injected
Received: ...removed... with ESMTP id 207187012; Tue, 10 Jun 2014 07:43:15 -0500
Message-ID: <>
Date: Tue, 10 Jun 2014 18:16:17 +0530
From: Voice Mail <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: <>
Subject: voice message from 597-599-7866 for mailbox 607
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit 

You have received a voice mail message from 597-599-7866
Message length is 00:00:37. Message size is 298 KB.

Download your voicemail message from dropbox service (Dropbox Inc.): IjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lk IjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICIxeWEwMGx3enQ1aWdpOXEifQ/AANAB ss7_JqczoocZG5p_SjA659fq_BNbEs6hyC4CqDuBA?dl=1 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>